ZmnSCPxj [ARCHIVE] on Nostr:
📅 Original date posted:2021-07-27
📝 Original message:
Good morning aj, and list,
> > I don't think you can reliably hide that you forgot some state?
Thinking a little more --- *why* do we need to hide that we forgot some state?
The reason is that if your peer learns you forgot state, the peer can pass off obsolete state onchain, thereby stealing funds from you before you can recover your data.
But if some completely random node that is ***not*** your peer and has ***no*** channels with you is holding your memento, then there is no need to worry --- even if you tell them "actually I forgot my state" they have no obsolete state to hurt you with.
Suppose that nodes provide a "will remember for you" flag in the feature bits.
Now, your node can then use a secret distance measurement --- for example, it could take the keyed hash (with your node privkey as key) of every "will remember for you"-advertising node, then look for the hash that is numerically lowest.
Locating the "nearest" node, your node then contacts that node and asks them to remember our memento.
Now, your node should not be using its "normal" pubkey for this; instead, it should generate a "throwaway" keypair derived from its privkey plus the pubkey of the selected node.
--
After your node hits its head and becomes amnesiac, you provide it with the privkey (which can be represented as some words).
The node then re-downloads the gossip map, and uses the same secret distance measurement to find, say, the 100 "nearest" nodes with the "will remember for you" feature.
Assuming the gossip map has not changed too much since before the amnesia event, then it is likely that the previously selected node is still in the nearest 100 nodes.
Your node will then iterate over the nearest 100 nodes, starting with the nearest, and re-derive the "throwaway" keypair and ask each node if it holds a memento for that pubkey.
Since your node contacts them using a throwaway keypair that is not correlatable with your normal node pubkey, even if they are conspiring with your channel peers, the "will remember for you" node cannot identify that your node has suffered amnesia, it only knows that *some* node *somewhere* suffered amnesia.
This implies as well that the selected node can even be your peer, and it will still not be sure that the amnesiac node is you or might be somebody else completely.
--
Of course, the anonymous nature of the client requesting data storage is a problem, as this feature is now vulnerable to abuse and DDoS.
As a spam prevention, such a "will remember for you" node can use any number of techniques developed for anonymously paying to watchtowers, which have a similar "need to pay for anonymous storage to prevent DoS" problem.
Regards,
ZmnSCPxj
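
The selection and recovery procedure described in the message above, as an added example that is not part of the original post or of any Lightning implementation. HMAC-SHA256 as the keyed hash, the `dist`/`key` domain tags, the in-memory `stores` dict standing in for remote nodes, and all function names are assumptions.

```python
import hashlib, hmac

# secp256k1 parameters (the curve Lightning node keys use).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    m = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
         else (b[1] - a[1]) * pow(b[0] - a[0], -1, P))
    x = (m * m - a[0] - b[0]) % P
    return x, (m * (a[0] - x) - a[1]) % P

def pubkey(d):
    """Compressed pubkey for scalar d (double-and-add, not constant time)."""
    r, q = None, G
    while d:
        r, q, d = (_add(r, q) if d & 1 else r), _add(q, q), d >> 1
    return bytes([2 + (r[1] & 1)]) + r[0].to_bytes(32, "big")

def _prf(privkey, tag, storer):
    return int.from_bytes(hmac.new(privkey, tag + storer, hashlib.sha256).digest(), "big")

def nearest(privkey, advertisers, k):
    """The k advertisers with the lowest keyed hash (HMAC-SHA256 is an assumption)."""
    return sorted(advertisers, key=lambda pk: _prf(privkey, b"dist", pk))[:k]

def throwaway(privkey, storer):
    """Throwaway pubkey derived from our privkey plus the storer's pubkey."""
    return pubkey(_prf(privkey, b"key", storer) % (N - 1) + 1)

def store(privkey, gossip, stores, memento):
    storer = nearest(privkey, gossip, 1)[0]
    stores[storer][throwaway(privkey, storer)] = memento
    return storer

def recover(privkey, gossip, stores, k=100):
    """After amnesia: probe the k nearest, nearest first; None if nobody has it."""
    for storer in nearest(privkey, gossip, k):
        if (m := stores[storer].get(throwaway(privkey, storer))) is not None:
            return m

GOSSIP = [pubkey(i) for i in range(2, 302)]  # constructed "will remember" advertisers
```

Each storer only ever sees a pubkey unique to the (client, storer) pair, so two storers comparing notes cannot link their lookups to each other or to the client's node pubkey.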